A device identification framework allows a server to uniquely identify a client computing device that requests access to information and resources hosted by the server. Device identification frameworks are used in a wide range of applications including authentication, software licensing, digital content licensing, software update notification, and targeted content distribution. For example, a device identification framework can be implemented in conjunction with a trial program that provides a consumer with free or discounted access to an otherwise restricted resource, such as a software program or multimedia content, for a limited time. Such a trial program relies on a device identification framework to uniquely and reliably identify individual devices. Otherwise, consumers could abuse the trial program by, for example, repeatedly enrolling in a 30-day trial program every month. Device identification frameworks are also used for analytical purposes, for example to track how often recipients of the aforementioned free trial elect to ultimately purchase the software or content that was initially sampled. And as yet another example, a device identification framework can be implemented as part of a two-factor authentication process that combines knowledge-based authentication (such as a password, pattern, or the like) with device-based authentication (such as a recognized computer, smartphone, or the like).
Regardless of the particular implementation, existing device identification frameworks generally use a device identifier that, as its name implies, comprises information that identifies a particular client computing device. The device identifier can be based on, for example, a manufacturer-provided identification number, a machine identification code, a telephone number, a mobile identifier, a serial number, a version number, a hardware configuration, or a performance specification. Ideally, the device identifier cannot be manipulated by a consumer, and will uniquely identify a particular client device with respect to all other devices which might interact with a given server.
In theory, a uniquely assigned device identifier will support a robust device identification framework that allows a server to reliably identify clients that interact with the server. However, as a practical matter, there are several reasons why it is not feasible to rely solely on a client-originated device identifier for device identification. For one thing, in many instances a client cannot be trusted to reliably identify itself with the same device identifier. This may be because the client has an unstable hardware configuration or a defect in the device identifier computation logic. Or it may be because a user has changed, misrepresented, or otherwise manipulated the device identifier with malicious intent. Another reason why relying solely on a client-originated device identifier is inadvisable is that it is impossible to ensure that a given device identifier is truly unique. This is particularly true given that manufacturers are often not scrupulous in assigning identifiers to their devices. Duplicate device identifiers may also arise when a device is virtualized or cloned, for example by a cunning user seeking to exploit a device-based license provided by a software vendor or content provider. This results in the somewhat confusing scenario wherein some devices with duplicate identifiers are acceptable (for example, in the case of the unscrupulous manufacturer), whereas other devices with duplicate identifiers are not (for example, in the case of the cunning user who clones a device). Attempting to resolve this confusion by manipulating how the device identifier is initially assigned will result in significant changes to existing licensing frameworks and installed computing device configurations, and thus is not considered a viable solution from a scalability standpoint.
Therefore, a more robust device identification framework is sought. Ideally, such a framework would be resistant to challenges presented by cloned devices and duplicate device identifiers, and could be implemented without fundamentally altering existing client architecture or client-server communication systems.